Security This Week: The Panama Papers Law Firm Had Seriously Shoddy Security
This week started off big with the Panama Papers, the largest leak in history. The still-unfolding story uncovered a complex web of global tax evasion perpetrated by world leaders and their friends. Breaking the Panama Papers news required massive coordination: over 100 journalists used a constellation of encryption tools and methods to help the whistleblower behind the leaks safely deliver 2.6 terabytes of documents.
Turkey had its own data spill this week as well, when an unnamed hacker posted the personal information of 50 million Turkish citizens extracted from poorly secured government servers. In other news, Kate Moussouris, the strategist behind the Department of Defense’s and Microsoft’s bug bounty programs, is branching out as an independent consultant. And a Maryland appeals court ruled that the Baltimore Police Department’s use of cell phone-tracking stingrays requires a warrant, setting a precedent that may inch the stingray debate closer to the Supreme Court.
On a more personal note, people looking for romance online should know they are increasingly common targets for scammers. And now that Facebook has live video, the social media giant is hoping that its users—like you—will help it police inappropriate live content, which will probably include live pornography. And while it might’ve seemed like the FBI’s public brawl with Apple over unlocking the San Bernardino iPhone had finally ended, the government jumped back in the ring by filing an appeal in a New York drug case in a second attempt to compel Apple to break the encryption on another iPhone.
And there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
The computer systems used by Mossack Fonseca, the law firm that was revealed to be a primary conduit for world leaders and corporations seeking off-shore tax havens, are reportedly drastically insecure. Reports surfaced midweek that its email client had not been updated for years, and that the version of Drupal behind its client portal had at least 25 vulnerabilities. While it’s still unclear who is responsible for the Panama Papers leak, security researchers say details point to a person who was working inside the company.
It’s been two and a half years since a group calling itself The Guardians of Peace hacked Sony in an epic breach, revealing the personal information of thousands of the entertainment company’s employees. In a class action lawsuit with 435,000 of its ex-employees, Sony struck a deal with the plaintiffs in what will amount to a $15 million payout, with a maximum of $10,000 awarded to each individual class action member. The hack, which the US government linked back to North Korea, didn’t just reveal employee data, but also exposed private correspondence between Sony executive staff that revealed embarrassing details about the film industry.
Weeks before the national elections in the Philippines, a hack exposed 55 million voters’ personal information. It’s being called the largest government-related data breach in history. Reports say that the Philippines’ Commission on Elections was first compromised by Anonymous Philippines; LulzSec Pilipinas subsequently posted personal voter information just days later. Alarmingly, the data was posted in plaintext, including the passport numbers of overseas voters, along with 15.8 million fingerprints. Anonymous Philippines warned the election commission to enact stronger security over the country’s electronic vote counting system.
The security community’s favorite encrypted text messaging app is now available for desktop chatting. That means that people who use Signal can now chat with other Signal users with both hands and seamlessly between mobile and desktop. Signal’s new service works like Apple’s iMessage and allows you to text friends via your computer. Like iMessage, it also offers a high level of encryption. The main difference between Apple’s iMessage and Signal, however, is that Signal works between Apple and Android devices, a huge deal for security-conscious friends who don’t all use the same products. A version of Signal for desktop was in invitation-only mode for the past few months; the crew at Open Whisper Systems released a public version on Thursday.
The Central Intelligence Agency’s own venture capital firm, In-Q-Tel, is funding … a skincare startup. It’s investing in Skincential Sciences, a startup that created a patented technology to remove a thin layer of skin to help clear away blemishes. According to The Intercept, the CIA is interested in the skincare company’s method of DNA extraction, which intelligence agencies can leverage for a variety of uses, including event security and biometric identification programs. In-Q-Tel has been backing Silicon Valley startups for 17 years now, including popular videogame manufacturers and mapping software that was eventually acquired by Google.
James Comey, director of the FBI, claimed this week that the agency’s ability to hack into the iPhone 5 used by the San Bernardino terrorist does not work on newer iPhone models, including the iPhone 6s and 5s. The FBI dropped its very public case against Apple two weeks ago, having obtained the ability to unlock the shooter’s phone via unnamed third-party software. While the FBI contends that it can share the software with other law enforcement agencies attempting to open model 5 iPhones, evidence obtained that way would likely not be admissible in court.